
Authentication

The public SDK endpoints used by the Ttoolab pixel do not use API key authentication.

Instead, requests are scoped by:

| Credential | Where | Purpose |
| :--------- | :---- | :------ |
| projectKey | Query param or request body | Identifies your project |
| anonymousId | Query param or request body | Identifies the browser visitor |

Example bootstrap request:

```http
GET https://sdk.ttoolab.com/sdk/bootstrap?projectKey=PROJECT_KEY&anonymousId=ANONYMOUS_ID&url=https%3A%2F%2Fexample.com%2F
```

No Authorization header is required.
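Building that request from the browser, as an added example that is not part of the Ttoolab SDK or this page's original code. It assumes only what the page states (the `sdk.ttoolab.com/sdk/bootstrap` endpoint and the `projectKey`, `anonymousId` and `url` query parameters); the helper names and the input checks are the example's own.

```javascript
// Added example, not Ttoolab's SDK code. Base endpoint and parameter
// names are taken from the documentation above; everything else is assumed.
const BOOTSTRAP_ENDPOINT = "https://sdk.ttoolab.com/sdk/bootstrap";

// Build the bootstrap URL with correct percent-encoding of every value.
// URLSearchParams encodes ':' and '/' in the page URL as %3A and %2F, which
// matches the documented request. Inputs are checked so that a missing
// projectKey/anonymousId or a non-http(s) page URL fails loudly instead of
// producing a request the server will reject.
function buildBootstrapUrl({ projectKey, anonymousId, pageUrl }) {
  if (typeof projectKey !== "string" || projectKey.length === 0) {
    throw new TypeError("projectKey must be a non-empty string");
  }
  if (typeof anonymousId !== "string" || anonymousId.length === 0) {
    throw new TypeError("anonymousId must be a non-empty string");
  }
  const parsed = new URL(pageUrl); // throws on a malformed URL
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new TypeError("pageUrl must be an http(s) URL");
  }
  // Assumption of this example: the fragment is dropped. Browsers never send
  // it to a server anyway, and it may hold client-side state.
  parsed.hash = "";

  const params = new URLSearchParams();
  params.set("projectKey", projectKey);
  params.set("anonymousId", anonymousId);
  params.set("url", parsed.toString());
  return `${BOOTSTRAP_ENDPOINT}?${params.toString()}`;
}

// Issue the request. No Authorization header is set, as the page says;
// projectKey and anonymousId are the only scoping values. Not called at
// top level so the file runs offline.
async function fetchBootstrap(opts) {
  const response = await fetch(buildBootstrapUrl(opts), { method: "GET" });
  if (!response.ok) {
    throw new Error(`bootstrap failed: HTTP ${response.status}`);
  }
  return response.json();
}

// Example input matching the documented request (constructed values).
const EXAMPLE_BOOTSTRAP_URL = buildBootstrapUrl({
  projectKey: "PROJECT_KEY",
  anonymousId: "ANONYMOUS_ID",
  pageUrl: "https://example.com/",
});
```

Call `fetchBootstrap({ projectKey, anonymousId, pageUrl: location.href })` from the page; `anonymousId` is whatever visitor identifier your integration already persists.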

Webhooks are sent from Ttoolab to your server. You verify authenticity using the webhook signing secret — see Webhook security.

Operations like creating experiments, publishing, and managing team members require user authentication through the Ttoolab dashboard (Supabase Auth). These are internal APIs and are not part of the public documentation.

If Ttoolab releases a public REST API in the future, authentication will likely use bearer tokens:

```bash
curl https://api.ttoolab.com/v1/projects \
  -H "Authorization: Bearer YOUR_API_KEY"
```

This pattern is not currently available. Do not use api.ttoolab.com unless officially announced.

  • Keep projectKey in client-side code — it is a public identifier, similar to a Google Analytics measurement ID, and cannot serve as a secret or as proof that a request came from your site.
  • Never put webhook secrets, service role keys, or OAuth tokens in frontend code.
  • Rotate webhook secrets if you suspect compromise (via the dashboard).